Enabling Security in Scripts
By default, calls to the WMI Provider use the default Windows authentication setting. While this setting permits only authorized users to use the WMI provider, calls that are sent on the network are not encrypted. If you are calling into WMI remotely, this means the data sent between your client and the ILM 2007 FP1 server is in cleartext on the network. To protect the data, encrypt any data that is sent on the network by setting the authentication level in the WMI provider call.
You can set the authentication level by using the optional security settings component of the WMI moniker with the appropriate WbemAuthenticationLevelEnum enumeration constant.
Note: Setting the authentication level is a request rather than a command; the server might not honor the request.
The WbemAuthenticationLevelEnum enumeration constants determine the authentication level of the service object. To authenticate all previous impersonation levels and sign and encrypt each data packet, use the WbemAuthenticationLevelPktPrivacy constant.
This topic contains examples that enable security in scripts.
- Enabling Security on a Local System
- Enabling Security on a Remote System Using the Current User Credentials
- Enabling Security on a Remote System Using Alternative Credentials
Enabling Security on a Local System
The following Visual Basic Scripting Edition (VBScript) example shows how to create a service object with the recommended authentication level on a local server.
Option Explicit
Const PktPrivacy = 6
Dim Service
'* The moniker names the level as text; the constant above records its numeric value.
Set Service = GetObject("winmgmts:{authenticationLevel=PktPrivacy}!root\MicrosoftIdentityIntegrationServer")
'* Start your script here.
Enabling Security on a Remote System Using the Current User Credentials
The following VBScript example shows how to create a service object with the recommended authentication level on a remote server. The script uses the credentials of the current user.
Replace MyServer with the name of the remote server.
Option Explicit
Const WbemAuthenticationLevelPktPrivacy = 6
Dim Locator
Dim Service
Set Locator = CreateObject("WbemScripting.SWbemLocator")
Locator.Security_.AuthenticationLevel = WbemAuthenticationLevelPktPrivacy
Set Service = Locator.ConnectServer("MyServer", "root\MicrosoftIdentityIntegrationServer")
'* Start your script here.
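Because the authentication level is a request that the server might not honor, a script can read the level back before it sends any data. The following added example, which is not part of the original topic or of the product's own samples, connects with the current user's credentials and stops if the level on the returned service object is lower than PktPrivacy. The TargetServer and ConnectWithPrivacy helper names and the optional command-line argument are assumptions made for this example.

```vbscript
Option Explicit

Const WbemAuthenticationLevelPktPrivacy = 6

Dim Service
Set Service = ConnectWithPrivacy(TargetServer(), "root\MicrosoftIdentityIntegrationServer")
If Service Is Nothing Then WScript.Quit 1
'* Start your script here.

'* Hypothetical helper: first command-line argument, or "." for the local system.
Function TargetServer()
    If WScript.Arguments.Count > 0 Then
        TargetServer = WScript.Arguments(0)
    Else
        TargetServer = "."
    End If
End Function

'* Hypothetical helper: returns a service object only when the level
'* recorded on it is PktPrivacy; otherwise returns Nothing.
Function ConnectWithPrivacy(strServer, strNamespace)
    Dim Locator, Svc, Level
    Set ConnectWithPrivacy = Nothing
    Set Locator = CreateObject("WbemScripting.SWbemLocator")
    Locator.Security_.AuthenticationLevel = WbemAuthenticationLevelPktPrivacy

    On Error Resume Next
    Set Svc = Locator.ConnectServer(strServer, strNamespace)
    If Err.Number <> 0 Then
        WScript.Echo "Connection failed: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
        Exit Function
    End If
    '* If this read fails, Level stays Empty and compares as 0, so the check fails closed.
    Level = Svc.Security_.AuthenticationLevel
    On Error GoTo 0

    If Level < WbemAuthenticationLevelPktPrivacy Then
        WScript.Echo "Authentication level is " & Level & ", expected " & _
            WbemAuthenticationLevelPktPrivacy & ". Stopping before any data is sent."
        Exit Function
    End If
    Set ConnectWithPrivacy = Svc
End Function
```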
Enabling Security on a Remote System Using Alternative Credentials
The following VBScript example shows how to create a service object with the recommended authentication level on a remote server. The script uses alternative credentials that are supplied in the call to ConnectServer, rather than the credentials of the current user.
Option Explicit
Const WbemAuthenticationLevelPktPrivacy = 6
Dim Locator
Dim Service
Set Locator = CreateObject("WbemScripting.SWbemLocator")
Locator.Security_.AuthenticationLevel = WbemAuthenticationLevelPktPrivacy
Set Service = Locator.ConnectServer("MyServer", "root\MicrosoftIdentityIntegrationServer", "Domain\Me", "MyPassword")
'* Start your script here.
Replace the following placeholder terms with the specified information:
- MyServer with the name of the remote server
- Domain\Me with the name of the alternative user
- MyPassword with the password of the alternative user
Because this script contains a user name and password, store the script in a secure folder that has the same security level as the Microsoft Identity Lifecycle Manager 2007, Feature Pack 1 folder. Limit access to this folder.
Note: We do not recommend storing user credentials in a script. If you need to run a script under a different user context, in most cases you should use the runas command to run the script. For more information, see Creating Scripts to Run Management Agents.
See Also
WbemAuthenticationLevelEnum
Setting Client Application Process Security
Setting the Default Process Security Level Using VBScript
Connecting to WMI on a Remote Computer
Connecting to the WMI Service
Creating Scripts to Run Management Agents
Build date: 2/16/2009